DFIN Security Overview

Identify, Protect, Detect, Respond, Recover - The NIST Cybersecurity Framework is the backbone of DFIN security. DFIN understands the importance of maintaining a comprehensive and robust Information Security Program and maintains committed excellence towards our world class Information Security Program, data protection and the overall cybersecurity effectiveness.

Talk to an expert

Our systems, processes and experts leverage numerous tools to secure our clients data

  • SOC2 Type II audits
  • Secure Software Development support via static and dynamic application testing (SAST/DAST), code reviews, and software release analysis
  • Industry leading perimeter controls and next-gen firewalls
  • Comprehensive, ongoing vulnerability scans are conducted across all applications to quickly identify and mitigate cyber vulnerabilities
  • Commitment to GDPR and other data protection regulations
  • Extensive employee security awareness and training
  • AES 256-bit encryption is used to protect data at rest
  • AES 256-bit encryption is used to protect data in transit
  • 24/7/365 security monitoring and alerting
  • Advanced email and threat prevention technologies
  • Use of next-gen antivirus, anti-malware, and advanced endpoint protection technologies
  • Annual third-party penetration testing with each finding’s remediation effort independently validated
  • Rigorous governance and compliance controls

IT governance, risk and compliance

SOC 2 Type II

  • Annual SOC 2 Type II ActiveDisclosure Audit and Report
  • Annual SOC 2 Type II Global Investment Companies (GIC) Audit and Report
  • Annual SOC 2 Type II Venue + HiTrust Audit and Report
  • Annual SOC 2 Type II Global Capital Markets (GCM) audit and report

AICPA Trust Service Principles

Rigorous Governance Program in Place Leveraging the AICPA Trust Service Principles of Security, Availability, and Confidentiality

ISO 27001 certificate for the Enterprise

DFIN maintains ISO 27001 certification for the Enterprise

NIST CSF

  • Comprehensive IT Risk Management Processes
  • Dedicate Supply Chain Security and Third-Party Risk Management
  • IT Governance over Policy, Procedures and Standards
  • IT GRC Reports Directly to the Chief Information Security Officer

Application security

Encryption

  • Data transmission is encrypted while in transit via TLS v1.2
  • Static and Dynamic Application Security Testing technologies
  • AES 256-bit encryption is used to protect data while at rest
  • AES-256-bit encryption is used to protect database files

Identity Access Management

Multifactor Authentication and customer Single Sign-On integration fully supported

Azure Key Vault used for key storage

Zero Trust internal system Privileged Access Management

Identity Lifecycle automation implemented internally

Threat Management

Performed continuously, leveraging state-of the-art threat management tools

 
 

Penetration testing

Annual third-party Penetration Testing for independent verification of DFIN product’s security posture

  • Comprehensive penetrating testing leveraging independent 3rd party for ongoing and routine network and system testing
  • Penetration testing includes externally facing products and network infrastructure
  • Remediation validation conducted by independent third-party

Application development

Code reviews

Performed multiple times throughout the development process

Rigorous QA

Testing process is in place to identify potential issues early in the development process including SAST and DAST testing

SDLC and Continuous Integration / Deployment

DFIN embraces modern Software Development Life Cycle (SDLC) and Continuous Integration & Continuous Deployment (CI/CD) best practices aligned to a multi-environment (Integration, Quality Assurance, Staging, and Production) release promotion process

Infrastructure

Comprehensive Network Security

  • Infrastructure Security controls are in place (firewalls, IDS & IPS, logging, and security monitoring)

Technology Oversight

  • Regular network and server vulnerability scans
  • Regular OS patching (Microsoft security patches are applied each month)
  • Regular backup schedule
  • Hosted in Microsoft Azure
  • On Premise Data Hosting
Dannie Combs - Chief Information Security Officer 

From the desk of the CISO​

Led by Dannie Combs

SVP, Chief Information Security Officer 

Enterprise Security team supporting Security Incident and Response, Application Security, Network Security and Security Governance, Risk and Compliance, further supporting:

  • The use of security tools and utilities to scan and monitor DFIN assets
  • Security Response Team and process in place to address any potential vulnerabilities or events
  • Security monitoring and logging
  • Policy management - comprehensive policies including Information Security Policy and Security Awareness annual employee training
  • Cybersecurity incident response
  • Frequent, ongoing employee training programs and best practices
Phone expert Phone expert

We can provide additional information including our SOC 2 Type II report, once a Non-Disclosure Agreement is signed

Talk to an expert
Contact an Expert

Start the Conversation